misc: check order_by parameter is a correct identifier (#42825)

tests/test_backoffice_pages.py

@@ -505,6 +505,9 @@ def test_backoffice_listing_order(pub):
     ids = [x.strip('/') for x in re.findall(r'data-link="(.*?)"', resp.text)]
     assert ids == list(reversed(last_update_time_order))
 
+    # try invalid values
+    resp = app.get('/backoffice/management/form-title/?order_by=toto.plop', status=400)
+
 
 def test_backoffice_listing_anonymised(pub):
     if not pub.is_using_postgresql():

wcs/api.py

@@ -263,8 +263,8 @@ class ApiFormsDirectory(Directory):
         limit = misc.get_int_or_400(get_request().form.get('limit',
                 get_publisher().get_site_option('default-page-size') or 20))
         offset = misc.get_int_or_400(get_request().form.get('offset', 0))
-        order_by = get_request().form.get('order_by',
-            get_publisher().get_site_option('default-sort-order') or '-receipt_time')
+        order_by = misc.get_order_by_or_400(get_request().form.get('order_by',
+            get_publisher().get_site_option('default-sort-order') or '-receipt_time'))
 
         formdatas = sql.AnyFormData.select(criterias, order_by=order_by, limit=limit, offset=offset)
         if get_query_flag('ignore-roles'):

wcs/backoffice/management.py

@@ -359,7 +359,7 @@ class UsersViewDirectory(Directory):
         limit = misc.get_int_or_400(get_request().form.get('limit',
                 get_publisher().get_site_option('default-page-size')) or 20)
         offset = misc.get_int_or_400(get_request().form.get('offset', 0))
-        order_by = get_request().form.get('order_by', None) or 'name'
+        order_by = misc.get_order_by_or_400(get_request().form.get('order_by', None)) or 'name'
         query = get_request().form.get('q')
 
         get_response().filter['sidebar'] = self.get_search_sidebar(
@@ -860,8 +860,8 @@ class ManagementDirectory(Directory):
         limit = misc.get_int_or_400(get_request().form.get('limit',
             get_publisher().get_site_option('default-page-size') or 20))
         offset = misc.get_int_or_400(get_request().form.get('offset', 0))
-        order_by = get_request().form.get('order_by',
-            get_publisher().get_site_option('default-sort-order') or '-receipt_time')
+        order_by = misc.get_order_by_or_400(get_request().form.get('order_by',
+            get_publisher().get_site_option('default-sort-order') or '-receipt_time'))
 
         criterias = self.get_global_listing_criterias()
         criterias.append(Null('anonymised'))  # exclude anonymised forms
@@ -1681,7 +1681,7 @@ class FormPage(Directory):
         else:
             limit = misc.get_int_or_400(get_request().form.get('limit', 0))
         offset = misc.get_int_or_400(get_request().form.get('offset', 0))
-        order_by = get_request().form.get('order_by')
+        order_by = misc.get_order_by_or_400(get_request().form.get('order_by'))
         if self.view and not order_by:
             order_by = self.view.order_by
         if not order_by:
@@ -2057,7 +2057,7 @@ class FormPage(Directory):
         user = get_user_from_api_query_string() or get_request().user if not anonymise else None
         selected_filter = self.get_filter_from_query(default='all')
         criterias = self.get_criterias_from_query()
-        order_by = get_request().form.get('order_by', None)
+        order_by = misc.get_order_by_or_400(get_request().form.get('order_by', None))
         if self.view and not order_by:
             order_by = self.view.order_by
         query = get_request().form.get('q') if not anonymise else None

wcs/qommon/misc.py

@@ -807,3 +807,11 @@ def get_int_or_400(value):
         return int(value)
     except ValueError:
         raise RequestError()
+
+
+def get_order_by_or_400(value):
+    if value is None:
+        return None
+    if not re.match(r'-?[a-z_-]+$', value):
+        raise RequestError()
+    return value